Skill v1.0.1

ClawScan security

Simulated Roadtrip · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Feb 26, 2026, 10:01 PM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill largely does what it claims (calls a Turai API to generate stops), but there are multiple small inconsistencies (missing required env var in registry metadata, claims about Google Maps data and automatic posting that the code does not implement) that warrant caution before installing or running with real credentials.
Guidance
Before installing or running: (1) Be aware you must supply a TURAI_API_KEY (SKILL.md and script require it, but the registry metadata does not list it). (2) Confirm what Turai.org actually returns and whether it uses Google Maps data if that matters to you — the script only calls Turai, not Google directly. (3) The script only prints and can save JSON; it does not automatically post to chat/social platforms — if you expect automatic posting, review or add the integration code yourself. (4) Because the source and homepage are not provided, consider running the script in a sandbox or with a limited/revocable API key first, inspect network traffic, and read the code (it's short) to verify behavior. (5) If you need stronger assurance, ask the publisher for provenance (homepage, source repo, and explanation of data sources).

Review Dimensions

Purpose & Capability
concern: The description promises 'GPS-verified stops' and 'real Google Maps data', but the code calls only https://turai.org/api/agent/roadtrip and does not directly use Google Maps APIs. That could be legitimate if Turai provides Google-sourced data, but the skill metadata in the registry also claims 'Required env vars: none' while both SKILL.md and the script require TURAI_API_KEY — a clear metadata/code mismatch.
Instruction Scope
note: SKILL.md and the script are narrowly scoped: they send a POST to the Turai endpoint, format the returned stops, optionally save JSON and print/drip them to stdout. The SKILL.md mentions posting updates to chat/Moltbook/messaging channels, but the script itself does not integrate with any messaging API — posting must be performed by the agent or other glue code outside the script.
Install Mechanism
ok: No install spec and only a small Node script are provided; nothing in the package downloads or executes remote artifacts. This is low-risk from an install perspective.
Credentials
concern: Runtime requires a TURAI_API_KEY (used as x-api-key to turai.org) which is proportional to the described functionality. However, the registry metadata wrongly lists no required env vars/primary credential — that inconsistency is problematic because users may not realize they must provide an API key before running.
Persistence & Privilege
ok: The skill does not request persistent placement (always:false) and does not modify other skills or system-wide settings. It only optionally writes an output JSON file path provided by the user.